Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian¶ Karthikeyan Bhargavan∗ Zakir Durumeric¶ Pierrick Gaudry† Matthew Green§ J. Alex Halderman¶ Nadia Heninger‡ Drew Springall¶ Emmanuel Thomé† Luke Valenta‡ Benjamin VanderSloot¶ Eric Wustrow¶ Santiago Zanella-Béguelink Paul Zimmermann† ∗ INRIA Paris-Rocquencourt † INRIA Nancy-Grand Est, CNRS, and Université de Lorraine k Microsoft Research ‡ University of Pennsylvania § Johns Hopkins ¶University of Michigan For additional materials and contact information, visit WeakDH.org. ABSTRACT coded, or widely shared Diffie-Hellman parameters has the We investigate the security of Diffie-Hellman key exchange as effect of dramatically reducing the cost of large-scale attacks, used in popular Internet protocols and find it to be less secure bringing some within range of feasibility today. than widely believed. First, we present Logjam, a novel flaw The current best technique for attacking Diffie-Hellman in TLS that lets a man-in-the-middle downgrade connections relies on compromising one of the private exponents (a, b) by computing the discrete log of the corresponding public to “export-grade” Diffie-Hellman. To carry out this attack, a b we implement the number field sieve discrete log algorithm. value (g mod p, g mod p). With state-of-the-art number After a week-long precomputation for a specified 512-bit field sieve algorithms, computing a single discrete log is more group, we can compute arbitrary discrete logs in that group difficult than factoring an RSA modulus of the same size. in about a minute. We find that 82% of vulnerable servers use However, an adversary who performs a large precomputation a single 512-bit group, allowing us to compromise connections for a prime p can then quickly calculate arbitrary discrete logs to 7% of Alexa Top Million HTTPS sites. In response, major in that group, amortizing the cost over all targets that share browsers are being changed to reject short groups. this parameter. Although this fact is well known among We go on to consider Diffie-Hellman with 768- and 1024-bit mathematical cryptographers, it seems to have been lost groups. We estimate that even in the 1024-bit case, the com- among practitioners deploying cryptosystems. We exploit it putations are plausible given nation-state resources. A small to obtain the following results: number of fixed or standardized groups are used by millions Active attacks on export ciphers in TLS. We introduce of servers; performing precomputation for a single 1024-bit Logjam, a new attack on TLS by which a man-in-the-middle group would allow passive eavesdropping on 18% of popular attacker can downgrade a connection to export-grade cryp- HTTPS sites, and a second group would allow decryption tography. This attack is reminiscent of the FREAK attack [7] of traffic to 66% of IPsec VPNs and 26% of SSH servers. A but applies to the ephemeral Diffie-Hellman ciphersuites and close reading of published NSA leaks shows that the agency’s is a TLS protocol flaw rather than an implementation vulner- attacks on VPNs are consistent with having achieved such ability. We present measurements that show that this attack a break. We conclude that moving to stronger key exchange applies to 8.4% of Alexa Top Million HTTPS sites and 3.4% methods should be a priority for the Internet community. of all HTTPS servers that have browser-trusted certificates. To exploit this attack, we implemented the number field 1. INTRODUCTION sieve discrete log algorithm and carried out precomputation for two 512-bit Diffie-Hellman groups used by more than Diffie-Hellman key exchange is widely used to establish 92% of the vulnerable servers. This allows us to compute session keys in Internet protocols. It is the main key exchange individual discrete logs in about a minute. Using our discrete mechanism in SSH and IPsec and a popular option in TLS. log oracle, we can compromise connections to over 7% of Top We examine how Diffie-Hellman is commonly implemented Million HTTPS sites. Discrete logs over larger groups have and deployed with these protocols and find that, in practice, been computed before [8], but, as far as we are aware, this it frequently offers less security than widely believed. is the first time they have been exploited to expose concrete There are two reasons for this. First, a surprising number vulnerabilities in real-world systems. of servers use weak Diffie-Hellman parameters or maintain We were also able to compromise Diffie-Hellman for many support for obsolete 1990s-era export-grade crypto. More other servers because of design and implementation flaws and critically, the common practice of using standardized, hard- configuration mistakes. These include use of composite-order subgroups in combination with short exponents, which is vulnerable to a known attack of van Oorschot and Wiener [51], Permission to make digital or hard copies of part or all of this work for personal or and the inability of clients to properly validate Diffie-Hellman classroom use is granted without fee provided that copies are not made or distributed parameters without knowing the subgroup order, which TLS for profit or commercial advantage and that copies bear this notice and the full cita- tion on the first page. Copyrights for third-party components of this work must be has no provision to communicate. We implement these honored. For all other uses, contact the Owner/Author(s). Copyright is held by the attacks too and discover several vulnerable implementations. owner/author(s). Risks from common 1024-bit groups. We explore the im- CCS’15, October 12–16, 2015, Denver, Colorado, USA. ACM 978-1-4503-3832-5/15/10. plications of precomputation attacks for 768- and 1024-bit DOI: http://dx.doi.org/10.1145/2810103.2813707. groups, which are widely used in practice and still considered polynomial linear sieving descent selection algebra y, g p log db x precomputation individual log Figure 1: The number field sieve algorithm for discrete log consists of a precomputation stage that depends only on the prime p and a descent stage that computes individual logs. With sufficient precomputation, an attacker can quickly break any Diffie-Hellman instances that use a particular p. secure. We provide new estimates for the computational re- sieve algorithm for factoring [12,31], and in fact many parts of sources necessary to compute discrete logs in groups of these the implementations can be shared. The general technique is sizes, concluding that 768-bit groups are within range of aca- called index calculus and has four stages with different compu- demic teams, and 1024-bit groups may plausibly be within tational properties. The first three steps are only dependent range of state-level attackers. In both cases, individual logs on the prime p and comprise most of the computation. can be quickly computed after the initial precomputation. First is polynomial selection, in which one finds a polyno- We then examine evidence from published Snowden docu- mial f(z) defining a number field Q(z)/f(z) for the computa- ments that suggests NSA may already be exploiting 1024-bit tion. (For our cases, f(z) typically has degree 5 or 6.) This Diffie-Hellman to decrypt VPN traffic. We perform measure- parallelizes well and is only a small portion of the runtime. ments to understand the implications of such an attack for In the second stage, sieving, one factors ranges of integers popular protocols, finding that an attacker who could perform and number field elements in batches to find many relations of precomputations for ten 1024-bit groups could passively de- elements, all of whose prime factors are less than some bound crypt traffic to about 66% of IKE VPNs, 26% of SSH servers, B (called B-smooth). Modern implementations use special-q 16% of SMTP servers, and 24% of popular HTTPS sites. lattice sieving, which for each special q explores a sieving 2I Mitigations and lessons. As a short-term countermeasure region of 2 candidates, where I is a parameter. Sieving in response to the Logjam attack, all mainstream browsers parallelizes well since each special q is handled independently are implementing a more restrictive policy on the size of of the others, but is computationally expensive, because we Diffie-Hellman groups they accept. We further recommend must search through and attempt to factor many elements. that TLS servers disable export-grade cryptography and The time for this step depends on heuristic estimates of carefully vet the Diffie-Hellman groups they use. In the the probability of encountering B-smooth numbers in this longer term, we advocate that protocols migrate to stronger search; it also depends on I and on the number of special q Diffie-Hellman groups, such as those based on elliptic curves. to consider before having enough relations. In the third stage, linear algebra, we construct a large, sparse matrix consisting of the coefficient vectors of prime 2. DIFFIE-HELLMAN CRYPTANALYSIS factorizations we have found. A nonzero kernel vector of the Diffie-Hellman key exchange was the first published public- matrix modulo the order q of the group will give us logs of key algorithm [14]. In the simple case of prime groups, many small elements. This database of logs serves as input Alice and Bob agree on a prime p and a generator g of a to the final stage. The difficulty depends on q and the matrix a multiplicative subgroup modulo p. Alice sends g mod p, size and can be parallelized in a limited fashion. b Bob sends g mod p, and each computes a shared secret The final stage, descent, actually deduces the discrete log ab g mod p. While there is also a Diffie-Hellman exchange of the target y.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-